Target Breach Widens: 70 Million Warned

Target discovers that personal information -- including names and contact information -- for 70 million customers was compromised in recent data breach.

Target on Friday announced that an ongoing digital forensic investigation into its recent data breach has found that personal information relating to 70 million customers was stolen.

"As part of Target's ongoing forensic investigation, it has been determined that certain guest information -- separate from the payment card data previously disclosed -- was taken during the data breach," Target said in a statement, continuing the company's marketing-spin habit of labeling customers as "guests."

"At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals," said Target. "This theft is not a new breach, but was uncovered as part of the ongoing investigation."

Target's statement doesn't make clear, however, if the 40 million previously affected cardholders are a subset of the new 70 million figure or if the revised breach count means that up to 110 million people were affected. A Target spokeswoman didn't immediately respond to an emailed request for clarification.

The growing number of people affected by the breach complicates efforts by Target CEO Gregg Steinhafel to rebuild trust with the company's customers. That said, the company did earn plaudits from some identity theft experts for quickly warning customers about the breach once it was discovered.

"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," Steinhafel said Friday in a statement. "I also want our guests to know that understanding and sharing the facts related to this incident is important to me and the entire Target team."

Target has yet to offer any details about how the information was compromised, and whether it involved an inside attack or an external hacker.

Target first publicly detailed the data breach on December 19, 2013, saying that during the 19-day heist, which began in late November, there was "unauthorized access" to 40 million credit and debit cards. But Target also warned that a related investigation was only in its early stages, meaning that the number of people affected by the breach, or types of data stolen, might be revised.

Some security experts said a surge of stolen card data began flooding cybercrime sites in early December, suggesting that many Target customers -- as well as users of the store's own REDcard debit and credit card accounts -- were at immediate risk of fraud. In fact, related fraud may have been what led credit card issuers to spot signs of the breach and trace it back to Target.

Beyond fraud, Target's data breach victims now also face phishing attacks. Based on past breaches, it's a safe bet that whoever holds the stolen names and email addresses of up to 70 million Target customers will begin sending fake "security warnings," breach updates, or related emails to already worried Target customers, and a message that greets the recipient by name and home address is far more convincing than generic spam. If you receive such an email, don't open any links in it -- or in any financial-related email, for that matter. Instead, type the retailer's or bank's address into your browser yourself.
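The checks a mail filter (or a careful reader) would apply to such a message can be written down. The Python below is an added example, not code from the article or from Target: it pulls the links out of an HTML email body and flags the tricks phishers rely on, a brand name stuffed into a subdomain of an attacker's domain, a `user@host` prefix that hides the real host, a raw IP address, and link text that shows a different host than the one the `href` actually goes to. The trusted-domain list and the sample message are constructed assumptions for illustration; a real filter would take the list from the company's own notification page, and this version does not attempt homoglyph (look-alike character) detection.

```python
"""Flag links in a breach-notification e-mail that do not lead where they claim.

Added example, not from the article. The trusted-domain list and the sample
message are assumptions constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: the only hosts a genuine notification from this retailer would link to.
TRUSTED_DOMAINS = {"target.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
BARE_URL_RE = re.compile(r'https?://[^\s<>"]+', re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
TAG_RE = re.compile(r"<[^>]+>")


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_link(href, shown_text=""):
    """Return a list of reasons the link looks like phishing (empty if none)."""
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme not in ("http", "https"):
        reasons.append("unexpected scheme %r" % parsed.scheme)
    if parsed.username is not None:
        # http://www.target.com@198.51.100.7/ : everything before '@' is userinfo,
        # the real host is what follows it
        reasons.append("userinfo before '@' disguises real host %s" % host)
    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address as host")
    if not is_trusted(host):
        reasons.append("host %s is not a trusted domain" % host)
        if "target" in host:
            # brand name placed in a subdomain of an attacker-controlled domain
            reasons.append("brand name inside untrusted host")
    m = BARE_URL_RE.search(shown_text)
    if m:
        shown_host = (urlparse(m.group(0)).hostname or "").lower()
        if shown_host and shown_host != host:
            reasons.append("text shows %s but href goes to %s" % (shown_host, host))
    return reasons


def suspicious_links(body):
    """Scan an HTML e-mail body; return [(url, reasons)] for links that look wrong."""
    findings = []
    for href, inner in ANCHOR_RE.findall(body):
        reasons = classify_link(href, TAG_RE.sub("", inner))
        if reasons:
            findings.append((href, reasons))
    # Bare URLs outside anchors, scanned after the anchors themselves are removed
    for url in BARE_URL_RE.findall(ANCHOR_RE.sub(" ", body)):
        reasons = classify_link(url)
        if reasons:
            findings.append((url, reasons))
    return findings


# Constructed sample, modelled on the kind of message the article warns about.
SAMPLE_EMAIL = """<p>Dear Target guest,</p>
<p>Your information may have been exposed. Please
<a href="http://target.com.account-verify.example/login">verify your identity</a>
within 24 hours to avoid account suspension.</p>
<p>You can also review the update at
<a href="https://www.target.com@198.51.100.7/update">https://www.target.com/update</a>.</p>
<p>Official statements: https://corporate.target.com/about/data-breach</p>
"""

if __name__ == "__main__":
    for url, reasons in suspicious_links(SAMPLE_EMAIL):
        print(url)
        for r in reasons:
            print("   -", r)
```

Run stand-alone, the script reports the two anchor links (the first for an untrusted host carrying the brand name, the second for the `@` trick, the raw IP and the mismatched link text) and stays silent on the bare URL, which resolves to a subdomain of the trusted domain. The subdomain test in `is_trusted` matters: `target.com.account-verify.example` ends in `.example`, not `.target.com`, so a plain substring match would have been fooled.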

The data breach, which Target revealed during the 2013 holiday shopping season, has taken a bite out of the company's revenues. The full extent of the financial fallout was hinted at Friday, when the company warned investors that post-breach sales had declined by between 2% and 6%. Target also said that it will close eight US Target stores in May.

Despite that fourth-quarter hit, post-breach sales have shown improvement in the last several days, Target said. But the company isn't off the hook yet financially. An update on fourth-quarter outlook released Friday by Target warned that the retailer may face significant related long-term costs.

"At this time, the company is not able to estimate the costs, or a range of costs, related to the data breach," Target said. "Costs may include liabilities to payment card networks for reimbursements of credit card fraud and card reissuance costs, liabilities related to REDcard fraud and card re-issuance, liabilities from civil litigation, governmental investigations and enforcement proceedings, expenses for legal, investigative and consulting fees, and incremental expenses and capital investments for remediation activities."

On the cost front, Target will offer a year of free credit monitoring and identity theft protection to any customer who shopped in its US stores, although the company has yet to specify the qualifying time period. Target will allow customers to enroll in the monitoring program beginning next week and for up to three months after it launches.

"We know this incident has been a confusing and stressful time for our guests, and for that we apologize," Scott Kennedy, president of Target's finance and retail services, said Friday in a statement. "We hope this offer provides them with additional peace of mind."


Although Target is offering a year of free credit monitoring and identity theft protection in the wake of the breach, The Wall Street Journal reported this morning that, following the incident (along with another consumer credit card theft at Neiman Marcus), the Senate banking committee will be holding hearings in the coming weeks about the larger issue of who should bear responsibility for the costs of a cybersecurity breach. The Journal wrote:

Banks and credit unions have been pushing for years for legislation that would explicitly require the company responsible for a breach to cover its costs, but they have run into resistance from the retail industry, which argues that card issuers should improve their technology so cards can't be compromised.

Shout out to readers -- If credit card technology were more secure (e.g. smart cards), would identity theft decrease? Let's chat about it in the comments.

@Marilyn IBM predicts that in 5 years it will have the problem licked with what it calls a digital guardian. It explains it like this:

Protecting your patterns

Hopefully, it won't come to the point of a breach in the first place. IBM and its partners are layering in "always aware" intelligence. You can't be in two places at once. So, if the smartphone you accidentally left at a restaurant is being fondled by fraudulent fingers, the pervasive system will recognize the offender's different touch pattern (even if your phone is unlocked) and lock your account.

In another example, imagine two purchases: $40 at a gas station, and $4,000 at Tiffany & Co. Today's fraud monitoring might see the diamond purchase as highly suspicious, and ignore the charge at the pump. But your digital guardian will know that your car has a near-full tank of fuel; that you don't usually re-fuel until you're down to about one quarter tank; not to mention that you're at the office when this charge appears. It will also know that you've been shopping for an engagement ring and have been spending your lunch hour window shopping outside the store.

This and other emerging learning systems will know you, help you, and protect you as we continue to generate more and more data, and put more and more of our lives online.
